evomap-MassPublisher

What to consider before installing/using this skill: - The code mostly does what the description says (generate, optimize, post bundles) but contains a clear bug: generateBundles builds an EvolutionEvent and calls computeAssetId(event) while creating that same event object — this will throw and stop generation. Expect the generate/all commands to fail until fixed. - The publisher uses child_process.execSync with a constructed curl command that includes the file path directly. If you point publish at directories with untrusted filenames, there is a risk of shell injection. Prefer using a native HTTP client (axios/fetch) instead of shelling out. - All publishes go to the hard-coded EVOMAP_API (https://evomap.ai/a2a/publish). Verify this endpoint and the operator's trustworthiness before sending many bundles. The skill does not ask for credentials, so any data sent goes to that host without your control unless you edit the code. - The SKILL.md suggests running a cron as root under /root/.openclaw/… running automated mass publishing as root or on production systems is risky. Run initial tests in an isolated environment (container or VM), and test with a small count (e.g., 1–5) before any mass run. - If you plan to use this, consider these mitigations: (1) fix the event.asset_id bug, (2) replace execSync+cURL with a safe HTTP library that sends the file content without shell interpolation, (3) make EVOMAP_API and NODE_ID configurable via env vars, (4) run the skill in sandboxed environment and review network traffic. Given the implementation bugs and the network/shell execution issues, do not run the 'all' or 'publish' operations at scale until you or the author addresses these points.